OVERLAPS is an inexpensive, self-hosted, and easy to set-up web-based user interface for
Microsoft's Local Administrator Password Solution (LAPS).

The "Local Administrator Password Solution" (LAPS) provides a centralized storage of secrets/passwords in Active Directory (AD)...
LAPS simplifies password management while helping customers implement recommended defenses against cyberattacks.
In particular, it mitigates the risk of lateral escalation that results when customers have the same administrative
local account and password combination on many computers.

What is Microsoft® LAPS?

The Microsoft Local Administrator Password Solution (LAPS) is a free tool for securing the Windows computers in your Active Directory environment.

By performing scheduled resets on the Local Administrator accounts on your domain-joined computers, LAPS helps to mitigate the threat
of "Pass-the-Hash" type attacks against your network. It generates new passwords completely randomly, bypassing the need for shared
or formulaic passwords, and stores them securely in Active Directory for the use of your Service Desk teams.

How does LAPS work?

LAPS is a Client Side Extension (CSE) to Group Policy released for free by Microsoft. It creates two
new protected attributes in your Active Directory schema for computer objects which are used to store the computer's Local Admin
password and expiry information. Then a small client DLL is deployed to your managed Windows computers and sits unused until a
Group Policy refresh operation occurs. At that point it performs its work:

LAPS retrieves the current expiry date and time for the Local Administrator password on the current computer from Active Directory.

If the expiry is not blank and is still in the future, nothing happens.

Otherwise a new password is required, so LAPS generates one completely randomly according to your specifications (set in Group Policy).

LAPS now attempts to record the new password in Active Directory, along with when the password will next expire.

If that was successful, it will only then actually change the password of the Local Administrator account.

Another client service on my devices?

Not really. Think of the term "client" in its loosest sense, it is just a small 146kb file on each computer which does literally
nothing until a Group Policy refresh asks it to carry out its work. So most of the time it isn't using any resources at all (apart
from a tiny bit of disk space).

What is a Pass-the-Hash attack?

Windows accounts are stored hashed (one-way encrypted) and are, in principal, accessible to anyone with access to that computer.
A pass-the-hash attack uses this hash in place of the actual password to access resources on other computers on your network with
the same account/password.

LAPS mitigates the threat of pass-the-hash attacks by ensuring each computer has a different password (and therefore different
hash) for their Local Administrator account.

Further Reading

LAPS Alternative User Interface

Improve your user experience with LAPS by partnering it with OVERLAPS, which provides and alternative to the
basic tools provided by LAPS to make retrieving and expiring passwords much easier and more accessible.

Your Service Desk teams will still need access to the passwords generated by LAPS,
and with OVERLAPS they can do that and more from anywhere and from
any device that they have network access from.

What is OVERLAPS?

OVERLAPS is a self-hosted Microsoft LAPS alternative UI (user interface), a way of retrieving and expiring LAPS managed passwords through
any modern browser on any network attached device. More than this, it removes the hassle of managing and maintaining Active Directory
permissions for LAPS attributes by allowing you to specify which users or groups have access per-OU.

How does OVERLAPS work?

You install it on a computer or server which will act as the web server for OVERLAPS.

Configure your Active Directory permissions to allow that computer the appropriate access to the LAPS password and expiry attributes.

Setup SSL/TLS encryption to make sure everything is secure.

Add users and/or groups, and specify what Organizational Units or containers that they are allows to access.

Users can now login to OVERLAPS and access the LAPS managed passwords as needed.

What are the limits/restrictions on OVERLAPS?

There aren't any. We don't specify a time limit, user limit or device limit. Once you've purchased OVERLAPS once it
is yours forever, no matter how your service grows. We'll only ever require payment again if there is a major
update version released, in which case we'll make a significantly reduced upgrade price available to existing customers.

What are the differences between OVERLAPS and OVERLAPS Pro?

When we introduced some additional powerful functionality to OVERLAPS we released it as a "pro" version simply to distinguish
it apart from the "classic" version. The update was released free for all existing customers, and the "classic" version is
no longer available for purchase or download.

How much does OVERLAPS cost?

OVERLAPS is currently on sale for the reduced price of 543.58 kr. This is sort of an introductory price,
and may increase to a more permanent price without warning.

Where can I purchase OVERLAPS?

Security First Approach

Self-hosted and featuring full SSL/TLS encryption and
Kerberos authentication capabilities,
OVERLAPS has your network security at the forefront of its design.

Easier to manage than Active Directory permissions, OVERLAPS allows you
granular control over who can access passwords down to the Organisational Unit.

OVERLAPS leaves the password management to LAPS. It doesn't store, transmit or share
any confidential information with third parties. It only allows access to existing data
by the users that you authorise.

End-to-end Encryption over SSL/TLS

Whether its a full certificate chain or self-signed certificate for intranet usage, OVERLAPS wants to make
sure your communications are secure so supports full SSL/TLS (HTTPS) encryption.

Simpler Permissions

Active Directory permissions are notoriously difficult to interpret and manage, so OVERLAPS simplifies this
by implementing a easy-to-manage user/group management system and per-OU permissions to make controlling who
has access to the LAPS managed passwords much easier.

Internal Security

OVERLAPS simply acts as the intermediary between your users and the LAPS managed passwords in Active Directory.
In order to guarantee your service security, it will never record or store any of the passwords.

It requires absolutely no connection to the internet as it doesn't transmit or receive anything either to/from our servers or
to those of third parties. This allows you to setup the OVERLAPS computer/server in any security configuration you want,
be that completely locked down behind your firewall, or in a DMZ.

Easier to Use

Make it easier to gain access to managed Administrator passwords. Users can navigate your
existing domain and simply click computers to view their current L.A.P.S. managed administrator
password.

Reduce the overheads of deploying tools or teaching PowerShell to your users by unifying
access under one simple web interface.

Control Access

Control exactly who can view managed Administrator passwords at the Organizational Unit level.
Add users or groups and select which Organizational Units in your Active Directory domain that
they'll have access to.

Monitor Usage

OverLAPS maintains a record of each user request to view a computer password. This makes
auditing the use of LAPS controlled passwords a cinch, and helps to improve the overall
security of your network.

Only those users to specifically select can view this audit trail, so that responsibility
can easily be delegated to an internal security or monitoring team without compromising
log security.

Registered Office Address:

Int64 Software Ltd agrees to only store your contact details for as long as they remain relevant with
regards to your query. By using this form we promise not to add you to any mailing lists, or to pass
your details on to any third party companies. For more information, please see our
Privacy Policy.

I agree to Int64 Software storing my contact information solely for use in responding to my query. (required)

This website uses cookies

We use cookies to improve your experience on our site. Most of this is for core functionality, like our shopping cart, or logging in
to our members section, but we also use it to help understand how our site is being used in order to continue providing a great
service. If you'd like to know more, please view our Privacy Policy.